Pix via ssh - how to reach required privilege level?

Emre Bastuz info at emre.de
Wed Jul 27 11:41:55 UTC 2005


Hi Jordan,

Zitat von Fred Jordan <fjordan at hcssun01.hcs.net>:
> We have not tried to use rancid for collecting PIX configs but would be
> very interested in how to do this. How do you tell rancid to use ssh
> instead of telnet; in the entry in the router.db file?
you just have to add several lines to your .cloginrc, that might look like this:

add user mypix.emre.de rancidpixuser
add password mypix.emre.de myPassword4Rancid
add cyphertype mypix.emre.de des
add method mypix.emre.de ssh

The first two lines are the username and password being used when trying to
login via ssh.

The line "cyphertype" specifies the cypher ssh will try to use. Not all pix
firewalls have a 3des licence installed so using "des" made it work in my case.

The last line tells rancid to use ssh instead of telnet.

I felt uncomfortable having my enable password in the .cloginrc as cleartext so
I added a local user to the pix that has the privilege for the show commands
only.

That's where I got stuck: you can successfully login into the pix but are then
supposed to do a "login" first (instead of an "enable").

My guess is that if you have your enable password for the pix in the cloginrc
you will be able to collect your config with rancid.

If you create a local user on the pix you'll probably be stuck the same way that
I am.

Cheers,

Emre

--
http://www.emre.de                        UIN: 561260
PGP Key ID: 0xAFAC77FD

I don't see why some people even HAVE cars. -- Calvin
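Added here as an example, not code from the original post or from the rancid project: a small linter that reads a .cloginrc in the form shown above, resolves the effective entries for one host, and flags the two risks the post raises (a cleartext enable password and single-DES as cyphertype) plus a telnet fallback. It assumes clogin's first-match-wins glob semantics and a default method of telnet; Tcl-style brace quoting is not handled, and the sample file is constructed.

```python
import fnmatch
import shlex

# Constructed sample .cloginrc, modelled on the directives quoted in the post.
SAMPLE_CLOGINRC = """\
# PIX reached over ssh; only a single-DES licence on the box
add user       mypix.emre.de  rancidpixuser
add password   mypix.emre.de  myPassword4Rancid
add cyphertype mypix.emre.de  des
add method     mypix.emre.de  ssh
# fallback for every other device
add method     *              telnet
add password   *              defaultPassword
"""

WEAK_CIPHERS = {"des"}


def parse_cloginrc(text):
    """Return (directive, host_pattern, values) tuples in file order; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)
        if len(parts) < 3 or parts[0] != "add":
            continue
        entries.append((parts[1], parts[2], parts[3:]))
    return entries


def resolve(entries, host):
    """Assumed clogin semantics: per directive, the first host pattern that matches wins."""
    effective = {}
    for directive, pattern, values in entries:
        if directive not in effective and fnmatch.fnmatchcase(host, pattern):
            effective[directive] = values
    return effective


def audit(entries, host):
    """Return (effective entries, findings) for one host."""
    eff = resolve(entries, host)
    findings = []
    if "ssh" not in eff.get("method", ["telnet"]):       # assumed default: telnet
        findings.append("method does not include ssh (telnet sends credentials in cleartext)")
    if WEAK_CIPHERS.intersection(c.lower() for c in eff.get("cyphertype", [])):
        findings.append("cyphertype uses single DES, a weak cipher")
    if len(eff.get("password", [])) > 1:                # second value is the enable password
        findings.append("enable password stored in cleartext in .cloginrc")
    return eff, findings
```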
